
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws (PDF)

Pages: 949
Release year: 2011
File size: 14.11 MB
Language: English

Preview: The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws

Table of Contents

Chapter 1: Web Application (In)security
  The Evolution of Web Applications
  Web Application Security
  Summary

Chapter 2: Core Defense Mechanisms
  Handling User Access
  Handling User Input
  Handling Attackers
  Managing the Application
  Summary
  Questions

Chapter 3: Web Application Technologies
  The HTTP Protocol
  Web Functionality
  Encoding Schemes
  Next Steps
  Questions

Chapter 4: Mapping the Application
  Enumerating Content and Functionality
  Analyzing the Application
  Summary
  Questions

Chapter 5: Bypassing Client-Side Controls
  Transmitting Data Via the Client
  Capturing User Data: HTML Forms
  Capturing User Data: Browser Extensions
  Handling Client-Side Data Securely
  Summary
  Questions

Chapter 6: Attacking Authentication
  Authentication Technologies
  Design Flaws in Authentication Mechanisms
  Implementation Flaws in Authentication
  Securing Authentication
  Summary
  Questions

Chapter 7: Attacking Session Management
  The Need for State
  Weaknesses in Token Generation
  Weaknesses in Session Token Handling
  Securing Session Management
  Summary
  Questions

Chapter 8: Attacking Access Controls
  Common Vulnerabilities
  Attacking Access Controls
  Securing Access Controls
  Summary
  Questions

Chapter 9: Attacking Data Stores
  Injecting into Interpreted Contexts
  Injecting into SQL
  Injecting into NoSQL
  Injecting into XPath
  Injecting into LDAP
  Summary
  Questions

Chapter 10: Attacking Back-End Components
  Injecting OS Commands
  Manipulating File Paths
  Injecting into XML Interpreters
  Injecting into Back-end HTTP Requests
  Injecting into Mail Services
  Summary
  Questions

Chapter 11: Attacking Application Logic
  The Nature of Logic Flaws
  Real-World Logic Flaws
  Avoiding Logic Flaws
  Summary
  Questions

Chapter 12: Attacking Users: Cross-Site Scripting
  Varieties of XSS
  XSS Attacks in Action
  Finding and Exploiting XSS Vulnerabilities
  Preventing XSS Attacks
  Summary
  Questions

Chapter 13: Attacking Users: Other Techniques
  Inducing User Actions
  Capturing Data Cross-Domain
  The Same-Origin Policy Revisited
  Other Client-Side Injection Attacks
  Local Privacy Attacks
  Attacking ActiveX Controls
  Attacking the Browser
  Summary
  Questions

Chapter 14: Automating Customized Attacks
  Uses for Customized Automation
  Enumerating Valid Identifiers
  Harvesting Useful Data
  Fuzzing for Common Vulnerabilities
  Putting It All Together: Burp Intruder
  Barriers to Automation
  Summary
  Questions

Chapter 15: Exploiting Information Disclosure
  Exploiting Error Messages
  Gathering Published Information
  Using Inference
  Preventing Information Leakage
  Summary
  Questions

Chapter 16: Attacking Native Compiled Applications
  Buffer Overflow Vulnerabilities
  Integer Vulnerabilities
  Format String Vulnerabilities
  Summary
  Questions

Chapter 17: Attacking Application Architecture
  Tiered Architectures
  Shared Hosting and Application Service Providers
  Summary
  Questions

Chapter 18: Attacking the Application Server
  Vulnerable Server Configuration
  Vulnerable Server Software
  Web Application Firewalls
  Summary
  Questions

Chapter 19: Finding Vulnerabilities in Source Code
  Approaches to Code Review
  Signatures of Common Vulnerabilities
  The Java Platform
  ASP.NET
  PHP
  Perl
  JavaScript
  Database Code Components
  Tools for Code Browsing
  Summary
  Questions

Chapter 20: A Web Application Hacker's Toolkit
  Web Browsers
  Integrated Testing Suites
  Standalone Vulnerability Scanners
  Other Tools
  Summary

Chapter 21: A Web Application Hacker's Methodology
  General Guidelines
  1 Map the Application's Content
  2 Analyze the Application
  3 Test Client-Side Controls
  4 Test the Authentication Mechanism
  5 Test the Session Management Mechanism
  6 Test Access Controls
  7 Test for Input-Based Vulnerabilities
  8 Test for Function-Specific Input Vulnerabilities
  9 Test for Logic Flaws
  10 Test for Shared Hosting Vulnerabilities
  11 Test for Application Server Vulnerabilities
  12 Miscellaneous Checks
  13 Follow Up Any Information Leakage

Introduction

Chapter 1
Web Application (In)security

There is no doubt that web application security is a current and newsworthy subject. For all concerned, the stakes are high: for businesses that derive increasing revenue from Internet commerce, for users who trust web applications with sensitive information, and for criminals who can make big money by stealing payment details or compromising bank accounts. Reputation plays a critical role. Few people want to do business with an insecure website, so few organizations want to disclose details about their own security vulnerabilities or breaches. Hence, it is not a trivial task to obtain reliable information about the state of web application security today.

This chapter takes a brief look at how web applications have evolved and the many benefits they provide. We present some metrics about vulnerabilities in current web applications, drawn from the authors' direct experience, demonstrating that the majority of applications are far from secure. We describe the core security problem facing web applications, that users can supply arbitrary input, and the various factors that contribute to their weak security posture. Finally, we describe the latest trends in web application security and how these may be expected to develop in the near future.

The Evolution of Web Applications

In the early days of the Internet, the World Wide Web consisted only of web sites. These were essentially information repositories containing static documents. Web browsers were invented as a means of retrieving and displaying those documents, as shown in Figure 1.1. The flow of interesting information was one-way, from server to browser. Most sites did not authenticate users, because there was no need to. Each user was treated in the same way and was presented with the same information. Any security threats arising from hosting a website were related largely to vulnerabilities in web server software (of which
